Virus on flash drive, Avira and Spybot scan and still "Cannot find Setup.pif"

Status
Not open for further replies.

hellokitty[hk]

Posts: 3,413   +145
I put my flash drive into an infected computer (a WHOLE ton of viruses, don't ask, silly me...) and put it back on my computer (seemingly clean, Avira and Spybot scan). When I double-click on the removable disk from my computer, it says "Cannot find Setup.pif" or something like that. It happens on every clean computer now, though I've never left my flash drive on a clean computer for very long. The worst part is that now my computer doesn't give me the error anymore while all other computers do. I ran a full scan on the flash drive using Avira and I ran a whole system scan with Spybot; all clean, they say. I accidentally confirmed the virus: on a clean computer, I plugged it in and a virus alert came up and told me my flash drive was infected. I was in a hurry so I was too lazy to catch what antivirus it was.

I wouldn't mind reformatting the drive, but I would prefer not to because I would have to move all the files to my computer, format, then put them back on, maybe even put the virus back.

My flash drive doesn't exhibit any strange behavior and I don't see any suspicious files.

I just went into Avira's expert mode, turned detection levels to high, disabled smart extension list, enabled archive scanning...and I am running another scan on the flash drive, which I just finished.

Scan results:
First, a lot of false positives, I know they are not actual viruses, but I did quarantine anyway.
Second, I got about seven "I:\System Volume Information\_restore{9B9B2D1D-46D-4DA8-BF21-A0DC8436EF7F}\RP395\A0164933.exe"s, with a slightly different string of numbers in the "A0164933.exe". I thought I deleted those in the last scan last week. Avira says four are "TR/Drop.QuickBatch.U.3", "TR/Drop.QuickBatch.U.1", "TR/Drop.QuickBatch.U.4", "TR/Drop.QuickBatch.U.5" and another is "APPL/PsExec.F", another is "WORM/Generic.9771.1" and the last is "TR/Horse.ZW", if that helps at all.
Actually, I found
Hi Florean

This is a worm called as AHKheap by Sophos

KAV 7.0.0.124 can remove this worm I tried it and it works for me. Try removing using KAV if you are still unable to remove it then try it manually

Try the following steps

Press open the task manager and look for SVCHOST there should be only five SVCHOST running. Terminate Other SVCHOST which run under your user name / Administrator.

then open the explorer bar and type C:\heap4a and press enter
A folder will open this is a hidden folder and you cannot see it even by modifying folder options.

delete all the files in the folder.

then run regedit

in regedit search for 'heap' you will get two registry entries for the search (search Twice) delete these entries.

Now the worm is removed from your PC. But it may still be in your removable drive. So delete the 'autorun.ini' in your removable drive.

That's all Folks..............
Ok, I just found out the autorun file said to run setup.pif. I guess that means the clean computers do not have the virus, but my computer doesn't give me the error anymore!
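
An added example, not part of the thread: a read-only check that lists which program a drive's autorun file would launch and whether that file is still on the drive. An entry pointing at a missing file is consistent with the "Cannot find Setup.pif" message. It assumes the standard `autorun.inf` name in the drive root, and the function names are illustrative.

```python
from pathlib import Path

LAUNCH_KEYS = ("open", "shellexecute")  # [autorun] keys that start a program


def launch_targets(autorun_text):
    """Return (key, command) pairs from the [autorun] section that launch something."""
    targets, in_section = [], False
    for raw in autorun_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_section or "=" not in line:
            continue  # padding or junk lines are skipped, not fatal
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append((key, value))
    return targets


def find_ci(root, rel_parts):
    """Resolve a path below root ignoring case, as FAT/NTFS lookups do."""
    cur = root
    for part in rel_parts:
        if not cur.is_dir():
            return None
        cur = next((c for c in cur.iterdir() if c.name.lower() == part.lower()), None)
        if cur is None:
            return None
    return cur


def audit_drive(root):
    """List (key, program, present_on_drive) for every launch entry in autorun.inf."""
    root = Path(root)
    inf = find_ci(root, ["autorun.inf"])
    if inf is None or not inf.is_file():  # some tools plant a folder with this name
        return []
    findings = []
    for key, command in launch_targets(inf.read_text(errors="replace")):
        if not command:
            continue
        # Program is the quoted string, or else the first whitespace-separated token.
        program = command.split('"')[1] if command.startswith('"') else command.split()[0]
        parts = [p for p in program.replace("\\", "/").split("/") if p and not p.endswith(":")]
        findings.append((key, program, bool(parts) and find_ci(root, parts) is not None))
    return findings
```

Calling `audit_drive("I:\\")` only reads the drive; it never opens or runs the listed program.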
 

Bobbye

Posts: 16,314   +36
I put my flash drive into an infected computer (a WHOLE ton of viruses, don't ask, silly me...)

I accidentally confirmed the virus: on a clean computer, I plugged it in and a virus alert came up and told me my flash drive was infected. I was in a hurry so I was too lazy to catch what antivirus it was.

First, a lot of false positives, I know they are not actual viruses, but I did quarantine anyway.
How do you know they were false positives? And if they were, why did you quarantine them?

"I:\System Volume Information\_restore
The malware is in the System Restore points. You can't 'delete' them. Instructions for removal will follow the cleaning.

Press open the task manager and look for SVCHOST there should be only five SVCHOST running. Terminate Other SVCHOST which run under your user name / Administrator.
This is grossly incorrect.

All the sites coming up for KAV 7.0.0.124 are Torrent sites, file sharing and/or crack sites. Whoever sent that information is not looking out for your best interest.

TR/Drop.QuickBatch
This IS a Trojan. If you downloaded a crack for a program, that is likely where you got it.

IF you decide to get serious about cleaning, follow the Steps HERE.

When finished, attach the three logs.
 

hellokitty[hk]

Posts: 3,413   +145
How do you know they were false positives? And if they were, why did you quarantine them?
I quarantined them so there is no need to question me about the false positives and because I don't need the programs right now. Yes I know what all the programs are, and if it helps they're all marked by heuristic means and not actual virus detections.
Ok, guess I will just follow the steps...
 